Information Technology Sector Risk Management Stra

InformationTechnologySectorRiskManagementInformationTechnologySectorRiskManagementStrategyfortheProvideDomainNameResolutionServicesCriticalFunctionJune2011InformationTechnologySectorRiskManagementContentsExecutiveSummary.......................................................................................................................................i1InformationTechnologySectorRiskManagementOverview................................................................12RiskOverview–ProvideDomainNameResolutionServicesCriticalFunction....................................23ProvideDomainNameResolutionServicesRiskManagementStrategy.............................................43.1RiskofConcern–InformationDisclosure/PrivacyLoss(ManmadeUnintentional)......................63.1.1RiskOverview...........................................................................................................................63.1.2RiskResponse..........................................................................................................................73.2RiskofConcern–PolicyFailure:BreakdownofSingle,Interoperable,GlobalInternet(ManmadeDeliberate).............................................................................................................................103.2.1RiskOverview.........................................................................................................................103.2.2RiskResponse........................................................................................................................113.3RiskResponsetoLargeScaleAttackonInfrastructure:DenialofService(ManmadeDeliberate)163.3.1RiskOverview.........................................................................................................................163.3.2RiskResponse........................................................................................................................18FiguresFigure1:ProvideDomainNameResolutionServicesAttackTree(Summary)...........................................3Figure2:ProvideDomainNameResolutionServicesRelativeRiskTable.................................................4Figure3:InformationDisclosure/PrivacyLoss(DNS3)...............................................................................7Figure4:EffectivenessofProposedMitigationStrategytoInformationDisclosure/PrivacyLoss...............8Figure5:BreakdownofSingle,Interoperable,GlobalInternet(DNS1).....................................................11Figure6:EffectivenessofProposedMitigationStrategytoBreakdownofSingle,Interoperable,GlobalInternet........................................................................................................................................................15Figure7:DenialofServicebyLargeScaleAttackonInfrastructure(DNS2a)..........................................18Figure8:EffectivenessofProposedMitigationStrategytoLargeScaleAttackonInfrastructure.............20TablesTable1:DNSRiskandMitigationOverview.................................................................................................iiTable2:ITSector‘sHighConsequenceRisksforDNS...............................................................................2Table3:DNSRiskandMitigationOverview.................................................................................................5Table4:FeasibilityofProposedMitigationStrategytoInformationDisclosure/PrivacyLoss......................9Table5:FeasibilityofProposedMitigationStrategytotheBreakdownofSingle,Interoperable,GlobalInternet........................................................................................................................................................16Table6:FeasibilityofProposedMitigationStrategytoLargeScaleAttackonInfrastructure....................21ExecutiveSummaryPublicandprivateInformationTechnology(IT)Sectorownersandoperatorscompletedthefirst-everfunctions-basedriskassessmentinAugust2009.TheITSectorBaselineRiskAssessment(ITSRA)assessesrisksfrommanmadedeliberate,manmadeunintentional,andnaturalthreatsusingthreat,vulnerability,andconsequenceframeworkswithintheSector‘sriskassessmentmethodology.TheITSRAresultedinacomprehensivebaselineITSectorRiskProfilethatidentifiesnational-levelrisksofconcernfortheITSector.Publicandprivatesectorpartnerscollaborativelydevelopedtheassessment,whichreflectsparticipatingsubject-matterexperts‘(SME)expertiseandcollectiveconsensus.SectorpartnersaresystematicallyaddressingtherisksofconcernforeachcriticalfunctionbyengaginginriskmanagementanalyseswhereinSMEsassessthemeritsanddrawbacksoftakingoneoffourapproachestoriskmitigation:Avoidtherisk;Accepttheriskanditspotentialconsequences;Transfertherisktoanotherentity,capability,orfunction;orMitigatetheriskbypreventativeorproscriptiveaction.Wheremitigationisthepreferredriskresponse,ITSectorpartnersidentifyappropriateRiskMitigationActivities(RMA)toreducenational-levelrisksacrosseachcriticalfunctionbasedonSMEinput.Theidentifiedriskresponsesandtheprioritizationofth